Access to critical systems must be protected by a multi-factor authentication (MFA) mechanism.
Single-factor authentication often offers poor security, because users tend to set weak, common or easy-to-guess passwords, and plenty of tools and wordlists exist whose sole purpose is breaking into systems protected by a single factor. Critical systems should therefore not rely on a password alone, but take advantage of the protection offered by multi-factor authentication (MFA), under which a guessed or stolen password by itself is not enough to authenticate.
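The following is an added example, not code from the original page, illustrating the point above: the same constructed dictionary attack is run against a password-only login and against a login that also requires a TOTP second factor (RFC 6238, standard library only). The account, salt, base32 seed and wordlist are all constructed for the demonstration; the function names are hypothetical. The MFA check returns one generic failure regardless of which factor was wrong, and consumes a code only on full success so it cannot be replayed.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample account, not taken from any real system. The password is
# deliberately weak so the dictionary attack below succeeds against the
# password-only scheme. The TOTP seed is what a user would enrol in an
# authenticator app; the attacker never sees it.
USERS = {
    "alice": {
        "salt": b"constructed-salt-value",
        "pw_hash": None,                     # set by enrol_password() below
        "totp_secret": "JBSWY3DPEHPK3PXP",   # base32, constructed
        "last_totp_step": -1,                # highest time step already consumed
    }
}

# Constructed wordlist standing in for a real dictionary-attack list
WORDLIST = ["password", "123456", "letmein", "summer2019", "welcome1"]


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def enrol_password(user: str, password: str) -> None:
    USERS[user]["pw_hash"] = hash_password(password, USERS[user]["salt"])


enrol_password("alice", "summer2019")


def totp(secret_b32: str, step: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): HOTP over the 30-second time-step counter."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def check_password(user: str, password: str) -> bool:
    rec = USERS.get(user)
    if rec is None:
        hash_password(password, b"dummy-salt")  # keep timing uniform for unknown users
        return False
    return hmac.compare_digest(hash_password(password, rec["salt"]), rec["pw_hash"])


def match_totp(rec: dict, code: str, now: int, window: int = 1):
    """Return the time step whose code matches, or None. Accepts the current
    step and +/- `window` neighbours for clock drift, but never a step at or
    below the last one consumed, so every code is single-use. Does not mutate."""
    step = now // 30
    for candidate in range(step - window, step + window + 1):
        if candidate <= rec["last_totp_step"]:
            continue
        expected = totp(rec["totp_secret"], candidate).encode()
        if hmac.compare_digest(expected, code.encode()):
            return candidate
    return None


def login_single_factor(user: str, password: str) -> bool:
    return check_password(user, password)


def login_mfa(user: str, password: str, code: str, now: int) -> bool:
    rec = USERS.get(user)
    pw_ok = check_password(user, password)          # always evaluated
    matched = match_totp(rec, code, now) if rec else None
    if not (pw_ok and matched is not None):
        return False  # one generic failure: never reveal which factor was wrong
    rec["last_totp_step"] = matched  # consume the code only on full success
    return True


def dictionary_attack(login, user: str, **extra):
    """Try every wordlist entry as the password; return the one that logs in."""
    for word in WORDLIST:
        if login(user, word, **extra):
            return word
    return None


if __name__ == "__main__":
    now = 1_700_000_000
    print("password only:", dictionary_attack(login_single_factor, "alice"))
    print("with MFA     :", dictionary_attack(login_mfa, "alice", code="000000", now=now))
```

Against `login_single_factor` the attack recovers `summer2019`; against `login_mfa` the same wordlist yields nothing, because the attacker must also guess a six-digit code that is valid for at most three 30-second steps and can be used once. In a real deployment the server would additionally rate-limit and lock out after repeated failures, which this example omits.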
CAPEC-16: Dictionary-based Password Attack. An attacker tries each of the words in a dictionary as passwords to gain access to the system via some user’s account. If the password chosen by the user was a word within the dictionary, this attack will be successful (in the absence of other mitigations).
CAPEC-151: Identity Spoofing. Identity Spoofing refers to the action of assuming (i.e., taking on) the identity of some other entity (human or non-human) and then using that identity to accomplish a goal. An adversary may craft messages that appear to come from a different principal or use stolen / spoofed authentication credentials. Alternatively, an adversary may intercept a message from a legitimate sender and attempt to make it look like the message comes from them without changing its content.
CAPEC-560: Use of Known Domain Credentials. An adversary guesses or obtains (i.e., steals or purchases) legitimate credentials (e.g., userID/password) to achieve authentication and to perform authorized actions under the guise of an authenticated user or service.
CIS Controls. 4.5 Use Multi-Factor Authentication for All Administrative Access. Use multi-factor authentication and encrypted channels for all administrative account access.
CIS Controls. 11.5 Manage Network Devices Using Multi-Factor Authentication and Encrypted Sessions. Manage all network devices using multi-factor authentication and encrypted sessions.
CIS Controls. 12.11 Require All Remote Logins to Use Multi-Factor Authentication. Require all remote login access to the organization’s network to encrypt data in transit and use multi-factor authentication.
CIS Controls. 16.3 Require Multi-Factor Authentication. Require multi-factor authentication for all user accounts, on all systems, whether managed on-site or by a third-party provider.
CWE-287: Improper Authentication When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.
CWE-304: Missing Critical Step in Authentication The software implements an authentication technique, but it skips a step that weakens the technique.
CWE-308: Use of Single-factor Authentication The use of single-factor authentication can lead to unnecessary risk of compromise when compared with the benefits of a dual-factor authentication scheme.
CWE-419: Unprotected Primary Channel The software uses a primary channel for administration or restricted functionality, but it does not properly protect the channel.
CWE-654: Reliance on a Single Factor in a Security Decision A protection mechanism relies exclusively, or to a large extent, on the evaluation of a single condition or the integrity of a single object or entity in order to make a decision about granting access to restricted resources or functionality.
NERC CIP-005-5. B. Requirements and measures. R2.3 Require multi-factor authentication for all Interactive Remote Access sessions.
OWASP Top 10 A2:2017-Broken Authentication. Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently.
OWASP Top 10 A5:2017-Broken Access Control. Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users' accounts, view sensitive files, modify other users' data, change access rights, etc.
OWASP-ASVS v4.0.1 V1.2 Authentication Architectural Requirements.(1.2.4) Verify that all authentication pathways and identity management APIs implement consistent authentication security control strength, such that there are no weaker alternatives per the risk of the application.
OWASP-ASVS v4.0.1 V2.2 General Authenticator Requirements.(2.2.4) Verify impersonation resistance against phishing, such as the use of multi-factor authentication, cryptographic devices with intent (such as connected keys with a push to authenticate), or at higher AAL levels, client-side certificates.
OWASP-ASVS v4.0.1 V2.2 General Authenticator Requirements.(2.2.7) Verify intent to authenticate by requiring the entry of an OTP token or user-initiated action such as a button press on a FIDO hardware key.
OWASP-ASVS v4.0.1 V4.3 Other Access Control Considerations.(4.3.1) Verify administrative interfaces use appropriate multi-factor authentication to prevent unauthorized use.
OWASP-ASVS v4.0.1 V4.3 Other Access Control Considerations.(4.3.3) Verify the application has additional authorization (such as step up or adaptive authentication) for lower value systems, and/or segregation of duties for high value applications to enforce anti-fraud controls as per the risk of application and past fraud.
PCI DSS v3.2.1 - Requirement 6.5.8 Address common coding vulnerabilities in software-development processes including improper access control (such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions).
PCI DSS v3.2.1 - Requirement 6.5.10 Address common coding vulnerabilities in software-development processes such as broken authentication and session management.
PCI DSS v3.2.1 - Requirement 8.3.1 Incorporate multi-factor authentication for all non-console access into the CDE (Cardholder Data Environment) for personnel with administrative access.
PCI DSS v3.2.1 - Requirement 8.3.2 Incorporate multi-factor authentication for all remote network access (both user and administrator, and including third-party access for support or maintenance) originating from outside the entity’s network.